Oasis Security 2025 Predictions: Non-Human Identity Management (NHIM) Will Become a C-Level Priority, Yet Challenges Managing NHIs Persist

Industry executives and experts share their predictions for 2025.  Read them in this 17th annual VMblog.com series exclusive.

By Yonit Glozshtein, Director of Product Management, Oasis Security

Cybersecurity incidents stemming from the exploitation of non-human identities (NHIs) put business continuity at risk. In a recent security incident, Cisco confirmed that a threat actor accessed and downloaded its data and customer data. The threat actor offered the stolen data for sale on BreachForums and, in describing its contents, listed several kinds of NHI secrets: hard-coded credentials, certificates, API tokens, and private keys. Cisco later added that the data in question had been in a public-facing DevHub environment. Such incidents have devastating consequences, including erosion of customer trust, partner attrition, data exfiltration, and monetary loss.

As awareness of the need to properly secure and manage NHIs grows, CISOs are prioritizing Non-Human Identity Management (NHIM). In practice, this means allocating additional budget to address identity management gaps that have long been overlooked. Research from analyst firm Enterprise Strategy Group (ESG) found that 83% of organizations expect to spend relatively more on NHI security in the next 12 months, with nearly one in five expecting to spend significantly more.

Despite the recognized importance of NHIM, many organizations are guided by fear when it comes to how they manage their non-human identities. Consider secret rotation: whether prompted by a breach, a compliance mandate, or the need to improve operational efficiency, it remains an indispensable practice. Yet in many cases it is performed only as a last resort and by brute force, rather than as an operationalized, programmatic process. Security and IT leaders may be familiar with the "scream test": remove the item, wait for someone to scream because something broke, and put it back if they do. Applied to secrets, this means disabling a secret to see who complains; the complaint is what reveals that the secret was in active use, and by whom.

In addition to endangering business continuity, this manual process is tedious, incomplete and unrepeatable, and it leads to oversights, inefficiency, and a greater risk of exposure. Automated tools and processes are essential for comprehensive, efficient, and repeatable secret management across the organization. Only with reliable automation can secret rotation become a programmatic, seamless process that runs in the background without causing operational or business disruption.
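The programmatic alternative to the scream test is to rotate with an overlap window: issue the new secret, keep accepting the old one for a grace period while attributing every use of it to a caller, and revoke it only once nobody has presented it for the whole window. The Python below is an added example written for this page, not Oasis Security's product or code; the credential model, the seven-day grace period and the two consumer names are assumptions constructed for the illustration.

```python
"""Secret rotation with an overlap window, instead of a scream test.

The old version stays accepted as DEPRECATED while the new one is issued, and
each use of it is attributed to a caller. It is revoked only after nobody has
presented it for the whole grace period; callers still on it are reported by
name, so the change is planned rather than discovered by breakage.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple
import hmac
import secrets


class State(Enum):
    ACTIVE = "active"          # current version, handed out to consumers
    DEPRECATED = "deprecated"  # still accepted during the overlap window
    REVOKED = "revoked"        # rejected


@dataclass
class KeyVersion:
    value: str
    created: datetime
    state: State = State.ACTIVE
    deprecated_at: Optional[datetime] = None
    last_use_by: Dict[str, datetime] = field(default_factory=dict)  # caller -> last use


@dataclass
class Credential:
    name: str
    versions: List[KeyVersion] = field(default_factory=list)

    def current(self) -> KeyVersion:
        return next(v for v in self.versions if v.state is State.ACTIVE)


def issue(name: str, now: datetime) -> Credential:
    return Credential(name, [KeyVersion(secrets.token_urlsafe(32), now)])


def rotate(cred: Credential, now: datetime) -> KeyVersion:
    """Mint a new ACTIVE version; the old one stays accepted as DEPRECATED."""
    old = cred.current()
    old.state, old.deprecated_at = State.DEPRECATED, now
    new = KeyVersion(secrets.token_urlsafe(32), now)
    cred.versions.append(new)
    return new


def authenticate(cred: Credential, presented: str, caller: str, now: datetime) -> bool:
    """Accept ACTIVE or DEPRECATED versions and record who used which version when."""
    for v in cred.versions:
        if hmac.compare_digest(v.value.encode(), presented.encode()):
            if v.state is State.REVOKED:
                return False
            v.last_use_by[caller] = now
            return True
    return False


def finalize_rotation(cred: Credential, now: datetime, grace: timedelta) -> Tuple[List[str], Dict[str, List[str]]]:
    """Revoke deprecated versions idle for `grace`; report callers still using the rest.

    Returns (revoked version ids, {version id: [stragglers]}); a version id is
    the first 8 characters of the secret, enough to correlate with a log line.
    """
    revoked, stragglers = [], {}
    for v in cred.versions:
        if v.state is not State.DEPRECATED or now - v.deprecated_at < grace:
            continue  # nothing to decide yet
        recent = sorted(c for c, t in v.last_use_by.items() if now - t < grace)
        if recent:
            stragglers[v.value[:8]] = recent  # do not break them; chase them
        else:
            v.state = State.REVOKED
            revoked.append(v.value[:8])
    return revoked, stragglers


def run_scenario() -> dict:
    """Constructed timeline (assumed): two consumers, one of which migrates late."""
    t0, day = datetime(2025, 1, 1, tzinfo=timezone.utc), timedelta(days=1)
    grace = 7 * day
    cred = issue("orders-db-password", t0)
    old = cred.current()
    authenticate(cred, old.value, "billing-svc", t0)
    authenticate(cred, old.value, "report-job", t0)
    new = rotate(cred, t0 + 1 * day)
    authenticate(cred, new.value, "billing-svc", t0 + 2 * day)           # migrated
    still_ok = authenticate(cred, old.value, "report-job", t0 + 3 * day)  # not yet
    first = finalize_rotation(cred, t0 + 8 * day, grace)    # window closed, report-job still on old
    authenticate(cred, new.value, "report-job", t0 + 9 * day)
    second = finalize_rotation(cred, t0 + 11 * day, grace)  # old idle for 8 days: revoke
    rejected = authenticate(cred, old.value, "report-job", t0 + 12 * day)
    return {"old_accepted_during_overlap": still_ok, "first_pass": first,
            "second_pass": second, "old_rejected_after_revoke": rejected, "old_id": old.value[:8]}


if __name__ == "__main__":
    print(run_scenario())
```

The first `finalize_rotation` pass leaves the old version in place and names `report-job` as the straggler; only after that job has moved to the new secret and the old one has been idle for the full grace period does the second pass revoke it. Nothing is disabled in order to find out who depends on it.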

Stale or orphaned NHIs that should have been decommissioned - but have not been - also pose a risk. An orphaned NHI is one that is no longer in use but is still enabled and still holds active permissions. Stale or orphaned NHIs are generally the outcome of changes in business operations, such as concluding work with a third-party vendor; shifts in organizational structure, such as an employee leaving the company or moving to a new role; or technology changes, such as replacing an application. These NHIs represent a significant danger: they enlarge the attack surface and can serve as backdoors for extended periods without detection. Cases like Cloudflare's recent incident demonstrate these issues first-hand.

Offboarding NHIs, however, is a complex and error-prone process without the right tool for the job. The most common pain points are lack of visibility (users do not know which NHIs are unused) and operational risk (users do not know what an NHI is for, and fear breaking something). Insufficient understanding of security posture, rapidly evolving business needs, and ambiguous ownership add to the difficulty. The result is a bind: failing to follow best practices creates huge risks for enterprises, yet following them without the proper solutions in place causes breakage. In 2025, organizations increasingly need to adopt a proactive approach to non-human identity management.
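The visibility problem above comes down to joining an identity inventory against the rosters that say whether an owner is still around, and then ranking what falls out by how much damage it could do. The Python below is an added example written for this page, not Oasis Security's tooling; the inventory records, the roster of active owners, the 90-day stale window, the 30-day never-used grace period and the list of high-risk permission markers are all constructed assumptions.

```python
"""Stale and orphaned NHI triage over an identity inventory.

An identity is flagged only if it is enabled and still holds permissions;
disabled or permissionless identities are not an exposure. "Orphaned" means
the owner of record (person, team or vendor) is no longer active, "stale"
means no use within the stale window, and "never-used" means it was
provisioned longer ago than the grace period and has never authenticated.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Grants that turn an orphan into a high-value backdoor (assumed markers, not a standard list).
HIGH_RISK_MARKERS = ("admin", "iam:", "*", "secret")


@dataclass(frozen=True)
class NHI:
    id: str
    kind: str                 # service-account, api-key, certificate, ...
    owner: Optional[str]      # employee, team or vendor id; None if unknown
    enabled: bool
    permissions: Tuple[str, ...]
    created: datetime
    last_used: Optional[datetime]


def privilege_score(permissions) -> int:
    """Number of grants that match a high-risk marker."""
    return sum(any(m in p for m in HIGH_RISK_MARKERS) for p in permissions)


def classify(nhi: NHI, now: datetime, active_owners: Set[str],
             stale_after: timedelta, unused_grace: timedelta) -> Tuple[str, ...]:
    """Finding tags for one identity; an empty tuple means nothing to act on."""
    if not nhi.enabled or not nhi.permissions:
        return ()
    tags = []
    if nhi.owner is None:
        tags.append("ownerless")
    elif nhi.owner not in active_owners:
        tags.append("orphaned:owner-gone")
    if nhi.last_used is None:
        if now - nhi.created > unused_grace:
            tags.append("never-used")
    elif now - nhi.last_used > stale_after:
        tags.append("stale")
    return tuple(tags)


def triage(inventory: List[NHI], now: datetime, active_owners: Set[str],
           stale_after: timedelta = timedelta(days=90),
           unused_grace: timedelta = timedelta(days=30)):
    """Return (id, tags, privilege) for every flagged identity, riskiest first."""
    findings = []
    for nhi in inventory:
        tags = classify(nhi, now, active_owners, stale_after, unused_grace)
        if tags:
            findings.append((nhi.id, tags, privilege_score(nhi.permissions)))
    findings.sort(key=lambda f: (-f[2], -len(f[1]), f[0]))  # privilege, then tag count
    return findings


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed inventory; names, kinds and grants are illustrative only.
INVENTORY = [
    NHI("ci-deploy-key", "api-key", "team-platform", True, ("deploy:write",), _ago(400), _ago(1)),
    NHI("vendor-acme-sa", "service-account", "vendor-acme", True, ("iam:PassRole", "s3:*"), _ago(700), _ago(200)),
    NHI("legacy-report-cert", "certificate", "jdoe", True, ("db:read",), _ago(900), _ago(10)),
    NHI("old-app-token", "api-key", None, True, ("admin",), _ago(500), None),
    NHI("decom-sa", "service-account", "team-platform", False, ("*",), _ago(300), _ago(250)),
    NHI("scratch-key", "api-key", "team-data", True, ("s3:GetObject",), _ago(5), None),
]
# Owners still active per the HR, vendor and application rosters (assumed):
# vendor-acme's engagement has ended and jdoe has left the company.
ACTIVE_OWNERS = {"team-platform", "team-data"}


def run_triage():
    return triage(INVENTORY, NOW, ACTIVE_OWNERS)


if __name__ == "__main__":
    for ident, tags, score in run_triage():
        print(f"{ident:20} privilege={score} {', '.join(tags)}")
```

Note what the ranking surfaces: the vendor's service account is both orphaned and stale and carries the broadest grants, so it leads; the certificate owned by a departed employee is still being used every few days, which is exactly the quietly persisting access the paragraph above warns about, and it is flagged even though it is not stale. The disabled account with wildcard permissions is ignored, and the five-day-old key that has not yet been used is left alone until its grace period passes.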

Organizations must seek solutions that provide a holistic inventory of NHIs with rich contextual information: who owns each identity, what it is used for, what it can access, and when it was last used. By investing in comprehensive NHI governance and management practices, organizations can mitigate the risks posed by these security holes. This, in turn, strengthens their security posture, safeguards sensitive data, and helps ensure compliance with regulatory requirements in an increasingly complex and interconnected digital landscape.


ABOUT THE AUTHOR

Yonit Glozshtein 

Yonit Glozshtein is the Director of Product Management at Oasis Security.

Published Thursday, December 12, 2024 7:32 AM by David Marshall